z/osmf v2.2 implementation and configuration - … · z/osmf v2.2 implementation and configuration...

© Copyright IBM Corporation 2015. These materials may not be reproduced in whole or in part without the prior written permission of IBM.

z/OSMF V2.2 Implementation and

Configuration

Greg DaynesIBM STSM – z/OS Installation and Deployment Architect

1September 2015© Copyright IBM Corporation 2015. These materials may not be reproduced in

whole or in part without the prior written permission of IBM.

Agenda

• Background

• Overview of z/OSMF

• z/OSMF V1 (R11-R13) Configuration

• z/OSMF V2.1 Configuration

• Configuration Changes for z/OSMF V2.2

• New user setup to configure z/OSMF “base”

• Existing user migrating to z/OSMF V2.2

• Accessing the z/OSMF Welcome Page

• Adding additional “plug-ins”

• Configuring the z/OS requisites

• Configuring z/OSMF to include the “plug-ins”

• Adding External Plug-ins (e.g., SDSF)

• Secure Communication Between z/OSMF Instances

• Authorizing users to z/OSMF



Agenda

• Background
















IBM z/OS Management Facility

• The IBM z/OS Management Facility is a

now a part of z/OS V2.2 that provides

support for a modern, Web-browser

based management console for z/OS.

• It helps system programmers more

easily manage and administer a

mainframe system by simplifying day to

day operations and administration of a

z/OS system.

• More than just a graphical user interface,

the z/OS Management Facility is

intelligent, addressing the needs of a

diversified skilled workforce and

maximizing their productivity. • Automated tasks can help reduce the

learning curve and improve productivity.

• Embedded active user assistance (such as

wizards) guide you through tasks and helps

provide simplified operations.



z/OS Management Facility

Configuration Assistant for z/OS Communications Server (z/OSMF V1.11) Simplified configuration and setup of TCP/IP policy-based networking functions

WLM Policy Editor (z/OSMF V1.12)Simplified management of WLM service definitions and policies. Facilitate the creation and editing of WLM service definitions, installation of WLM service definitions, and activation of WLM service policies

Resource Monitoring (z/OSMF V1.12) Provides dynamic real time metrics for system performance

Capacity Provisioning (z/OSMF V1.13) simplify the work of a z/OS CP administrator to manage connections to CPMs, view reports for domain status, active configuration and active policy.

Software Management (z/OSMF V1.13) provides a simple, structured approach to deploying SMP/E installed software, In addition, it allows for inspection of a software instance to view the product, feature, FMID content, SYSMODS, as well as the physical datasets that comprise a particular software instance. It also enables you to perform actions to analyze and report on software instances (such as identifying installed products with an announced end of service date).

z/OSMF Base Services:

•Security integration with SAF (z/OSMF V1.13)

•ISPF Web UI (z/OSMF V1.13)

•REST API for Jobs (z/OSMF V1.13)

•REST API for Data Sets and Files (z/OSMF V2.1 with PTF UI16044)

•REST API for z/OSMF Information Retrieval (z/OSMF V2.1 with PTF UI90005)

•REST API for z/OSMF Systems (z/OSMF V2.1 with PTF for APAR PI32148)

•REST API for Software Management (z/OSMF V2.1 with PTF for APAR PI32158)

•REST API for z/OSMF Workflow (z/OSMF V2.1 with PTF for APAR PI32163)•Notifications (z/OSMF V2.1) View and act on the z/OSMF notifications that have been assigned to you•Use of WebSphere Liberty Profile (z/OSMF V2.1) faster startup, uses less resources•Workflow (z/OSMF V2.1) Perform a guided set of steps, for example, to configure components or products in your installation. With PTF UI90005, A workflow step can use output from another workflow step; also a workflow step can be performed conditionally. •Import Manager (z/OSMF V2.1 with PTF UI16044) Import plug-ins, event types, event handlers, and links into z/OSMF.•System Setting - Discover the system definition that hosts the z/OSMF instance (z/OSMF V2.1 with PTF UI90005)

Problem Management & Analysis Installation, Migration, & Maintenance Configuration and Performance

Simplify and modernize the user experience and programming requirements

Incident Log (z/OSMF V1.11)provides a consolidated list of SVC Dump related problems, along with details and diagnostic data captured with each incident. It also facilitates sending the data for further diagnostics.

SDSF (z/OSMF V2.1 with PTF UI15294) provides a browser-based SDSF application designed to run in a z/OSMF environment that takes advantage of a graphical user interface.



IBM z/OS Management Facility

The Application Stack

• The z/OS Management Facility applications run on the z/OS enabling you to

manage z/OS from z/OS

– Information is presented on a PC using a browser

• The z/OS Management Facility requires:

– z/OS Communications Server

– Security definitions (SAF)

– Other components are required for specific z/OSMF plug-ins

– IBM 64-bit SDK for z/OS Java Technology Edition V7.1

z/OS Components

• Communications

Server IP

• SAF

• and others for

specific plug-ins

Browser

z/OSMF Server

• WAS Liberty profile

•z/OSMF plug-ins

IBM 64-bit SDK for z/OS

Java Technology Edition V7.1

HTTP(s)



Agenda

• Background
















z/OSMF V1 (R11-R13) Configuration

• z/OSMF used WAS OEM as its runtime environment

• Users had to first configure WAS OEM, and then configure z/OSMF (and its requisites)

• Both WAS OEM and z/OSMF:

• Used z/OS UNIX shellscripts for their configuration

• Had three (3) paths for their configuration script

• Had a bootstrap process to:

1. Define configuration parameters

2. Use those configuration parameters for security definitions

3. Use the configuration values to build their executables

• Because there weren’t many z/OSMF plug-ins, users were encouraged to initially configure all the plug-ins that they might ever use

• This resulted in some users delaying their rollout due to missing z/OS requisites



z/OSMF V1 (R11-R13) Configuration (picture)

Input

Mode

Interactive,

w/override fileInteractive,

w/o override file

Fastpath

w/override file

Configure

Prerequisites

Create

Security Definitions

Build

Executables

Input

Mode

Interactive,


w/o override file

Fastpath

w/override file

Configure

Prerequisites

Create


Build

Executables

Start session

Verify



z/OSMF V1 (R11-R13) Configuration …

• What we heard …

• Why is IBM’s “simplification” product so hard to

configure?

• Why do I need to ask my security administrator to

perform so many tasks

• How do I tell my security administrator what they

have to do since we don’t use RACF?

• Why do I have to use z/OS UNIX to configure

z/OSMF?

• Why does Incident Log have so many requisites?



Agenda

• Background
















z/OSMF V2.1 Configuration

• z/OSMF no longer used WAS OEM as its runtime environment

• It uses WebSphere Liberty Profile

• WebSphere Liberty Profile is configured as part of z/OSMF

• Users still had to configure z/OSMF (and its requisites)

• Using z/OS UNIX shellscripts for their configuration

• Choosing among three (3) paths for their configuration script

• Follow the configuration process

1. Define configuration parameters

2. Use those configuration parameters for security definitions

3. Use the configuration values to build their executables

• Users were encouraged to initially configure just the base

instance, and then all the plug-ins that they might ever use

• This resulted in a quicker startup of z/OSMF



z/OSMF V2.1 Configuration (picture)

Input

Mode

Interactive,


w/o override file

Fastpath

w/override file

Configure

Prerequisites

Start session

Verify

Create


Build

Executables



z/OSMF V2.1 Configuration …

• What we heard …

• Everybody likes the use of the WAS Liberty Profile

• Not sure how much the lack of configuring WAS OEM plays

into that

• Everybody likes the faster startup, use of less resources

(CPU and storage)

• From existing customers …

• The configuration process improved

• There are a lot of tasks my security administrator has to

perform

• RACF and (non-RACF) users liked the Security Appendix in

the z/OSMF Configuration Guide

• Why do I have to use z/OS UNIX to configure z/OSMF

• Why can’t IBM’s “simplification tool” use a graphical interface

to assist with its configuration?

• Or, its too bad z/OSMF can’t use z/OSMF to configure itself



Configuration Workflow Evolution

• z/OSMF V2.1 (GA), configuration workflow provided documentation that described instructions on how the tasks could be performed manually.

• z/OSMF V2.1 (PTF UI16044*), configuration workflow provided the a number of wizards to guide the user to implement the requisites for Incident log and configure z/OSMF to add plug-ins.

• z/OSMF V2.1 (PTF UI90005**), configuration workflow provides some discovery functions and utilizes the import function of z/OSMF configuration properties.

• z/OSMF V2.1 (PTF UI90022***), the configuration workflow now exploits conditional execution to base the steps required to setup ISPF, WLM, Capacity Provisioning, or Incident Log based on the current system configuration.

* available for z/OSMF V2.1 with PTF UI16044 and its requisite PTFs

** available for z/OSMF V2.1 with PTF UI90005 and its requisite PTFs

*** available for z/OS V2.1 with PTFs UI90019 and UI90022 and their requisite PTFs



Agenda

• Background
















z/OSMF V2.2 Configuration

• Objective

• Configure z/OSMF like other z/OS functions

• Eliminate the use of z/OS UNIX shellscripts to configure z/OSMF

• Use PARMLIB to specify configuration parameters

• Provide sample members for

• PARMLIB specification

• Security definitions

• Creation/migration of z/OS UNIX filesystem

• Utilize z/OSMF Workflows to provide a graphical interface step the user through plug-in prerequisite configuration

• Planned 4Q2015*

• Documented in the IBM z/OS Management Facility

Configuration Guide V2.2 (SC27-8419)

• Additional documentation in DOC APAR PI46099

• The PTF will be installed in all z/OS V2.2 ServerPacs!!!

Enabled by PTF UI90027 (available August 5, 2015)

* Planned. All statements regarding IBM's plans, directions, and intent are subject to change or withdrawal without notice.




• Eliminate use of z/OS UNIX Shellscripts and REXX

EXECs

• izumigrate.sh will still be used to assist in migration

• Eliminate the use of generated customized REXX

EXECs for RACF security definitions

• Eliminate configuration parameters only needed to

customize security definitions

• Eliminate the use of z/OS UNIX Shellscripts and

generated customized REXX EXECs to authorize

users to use z/OSMF




• Use PARMLIB to specify configuration parameters• PARMLIB member IZUPRMxx contains remaining configuration

parameters• Members can contain comments /* comment */• Members can use of system symbols• Members can be concatenated (xx,yy,zz,…)• Member can be in any data set in the logical PARMLIB concatenation

• IZUPRMxx is optional.• Not needed if all defaults are used

• Sample PARMLIB member provided• SYS1.SAMPLIB(IZUPRM00)

• Tip: Specify values only for those defaults that you want to override (that is, omit any statement for which the default value is acceptable). • Doing so will ensure that you always obtain the default values, even if

they happen to change in a future release.• New parameter added to the IZUSVR1 started procedure to

identify PARMLIB member(s) to use• Concatenation of members is supported

• IZUPRM=‘(xx,yy,zz)’• Default is IZUPRM=NONE




• SAMPLIB(IZUPRM00)HOSTNAME('*')

HTTP_SSL_PORT(443)

INCIDENT_LOG UNIT('SYSALLDA')

JAVA_HOME('/usr/lpp/java/J7.1_64')

KEYRING_NAME('IZUKeyring.IZUDFLT')

LOGGING('*=warning:com.ibm.zosmf.*=info:com.ibm.zosmf.environment.ui=fi

ner')

RESTAPI_FILE ACCT(IZUACCT) REGION(32768) PROC(IZUFPROC)

SAF_PREFIX('IZUDFLT')

SEC_GROUPS USER(IZUUSER),ADMIN(IZUADMIN),SECADMIN(IZUSECAD)

SESSION_EXPIRE(495)

TEMP_DIR('/tmp')

UNAUTH_USER(IZUGUEST)

WLM_CLASSES DEFAULT(IZUGHTTP) LONG_WORK(IZUGWORK)

/* Uncomment the following statement and any plugins that

are desired */

/* PLUGINS( */

/* INCIDENT_LOG, */

/* COMMSERVER_CFG, */

/* WORKLOAD_MGMT */

/* RESOURCE_MON, */

/* CAPACITY_PROV, */

/* SOFTWARE_MGMT, */

/* ISPF) */




• SAMPLIB(IZUxxSEC)• IZUSEC – defines base (“Core”) z/OSMF security definitions

• IZUCASEC – defines security definitions for Configuration Assistant

• IZUCPSEC – defines security definitions for Capacity Provisioning

• IZUDMSEC – defines security definitions for Software Management

• IZUILSEC – defines security definitions for Incident Log

• IZUISSEC – defines security definitions for ISPF

• IZURMSEC – defines security definitions for Resource Monitoring

• IZUWLSEC – defines security definitions for Workload Management

• SAMPLIB(IZUAUTH) – security definitions to authorize a

user to use z/OSMF




SAMPLIB(IZUMKFS)• Defines, formats, and temporarily mounts the z/OSMF user file system.• Initializes the z/OSMF user file system, which contains configuration settings and

persistence information for z/OSMF.• The job performs the following actions:

• Allocates the z/OSMF user file system as /var/zosmf.• Mounts the filesystem at mount point /var/zosmf:

• As a zFS type file system• With the option PARM('AGGRGROW') to allow the filesystem to grow

dynamically, as needed• With the option UNMOUNT to ensure that it is unmounted if the z/OS

system becomes unavailable• Changes the ownership and permissions and ownership of the directories and

files in the z/OSMF user file system, as follows:• The file system is owned by the IZUSVR user ID and the IZUADMIN

security group• The file system is protected with the permissions 755

• It is recommended that you give the z/OSMF file system sysplex-wide scope.• To do so, update the job to ensure that it mounts the user directory at a

shared mount point.



Agenda

• Background
















New User Setup/Configuration

Configuring an instance of z/OSMF is done by:

1. Setting up security

2. Creating the z/OSMF z/OS UNIX filesystem

3. Optionally, configuring z/OSMF parameters

4. Ensure that the SMP/E installed procedures are in your

JES PROCLIB concatenation

5. Starting the z/OSMF server

6. Update PARMLIB members or automation for subsequent

IPLs



New User Setup/Configuration …

• Setting up Security

• Run SAMPLIB(IZUSEC)

• You may need to modify the sample job to either:

• Conform to installation standards

• Uncomment out definitions based on your existing security environment

• One advantage of the SAMPLIB member(s) is that from release to release (or even after New Function PTFs) you can use ISPF to compare and identify what has changed!!!

• Of course, the first time you setup security, everything is new!

• If your installation uses a security management product other than RACF, do not use the SAMPLIB member

• Instead, your installation must create equivalent commands for your security product.

• See Appendix A in the z/OSMF Configuration Guide for a list of resources, groups, IDs, and authorizations that need to be defined to your security product.




• Creating the z/OSMF z/OS UNIX Filesystem• Run a modified SAMPLIB(IZUMKFS)

• You must select a volume for this allocation.

• By default the filesystem data set name is IZU.SIZUUSRD

• If you want to change the data set name, it needs to be changed

in three (3) steps: DEFINE, CREATE, and MOUNT

• By default the mountpoint is /var/zosmf

• It is recommended that you give the z/OSMF file system sysplex-

wide scope.

• To do so, update the job to ensure that it mounts the user

directory at a shared mount point.

• For example, /sharedapps/zosmf

• If you change the default mountpoint, you will have to change

all references of /var/zomsf in the job.




• Optionally, Configuring z/OSMF Parameters• Create one or more IZUPRMxx PARMLIB members

• Note:

• We don’t use the default Java Home Directory

• The comments shown would need to be spilt over multiple

lines due to the 72 column limit

• Eventually, you may want to modify that member, or create a new

one to specify the Plug-ins that you want to use

HOSTNAME(*) /* Defaults to the current HOSTNAME on the system */

HTTP_SSL_PORT(&ZOSMFPORT.) /* Use a user defined System Symbol defined in IEASYMxx */

JAVA_HOME('/usr/lpp/java710/java/J7.1_64') /* Location of the JAVA SDK 7.1 64-bit home directory */

PLUGINS(INCIDENT_LOG,

COMMSERVER_CFG,

WORKLOAD_MGMT,

RESOURCE_MON,

CAPACITY_PROV,

SOFTWARE_MGMT,

ISPF)




Ensure that the SMP/E installed procedures are in your JES PROCLIB

concatenation

• z/OSMF requires that the following cataloged procedures be installed on

your system:• Started procedures for the z/OSMF server: IZUANG1 and IZUSVR1.

• Logon procedure for the z/OS data set and file REST interface (IZUFPROC)

• You can use an alternative logon procedure, if it provides the same

function as the shipped IZUFPROC procedure.

• ServerPac and CustomPac users: • Ensure that SYS1.IBM.PROCLIB (or whatever you renamed it to) resides in

the JES PROCLIB concatenation.

• Or, copy its contents to a data set in the JES PROCLIB concatenation.

• CBPDO users: • Ensure that SYS1.PROCLIB (or whatever you renamed it to) resides in the

JES PROCLIB concatenation).

• Or, copy its contents to a data set in the JES PROCLIB concatenation.

• Note that these steps are the same as you would do for any SMP/E

installed cataloged procedure that is provided with z/OS.




• Starting the z/OSMF Servers• Before users can access z/OSMF, the z/OSMF server must be

active.

• To start the z/OSMF server manually, you can enter the START

command from the operator console.

• The START command specifies the procedure name to start and,

optionally, the job name to use. For example:

• START IZUANG1,JOBNAME=jobname

• START IZUSVR1,JOBNAME=jobname,IZUPRM=‘(xx,yy)’

• You ONLY need the IZUPRM parameter if you want to point to

one or more IZUPRMxx PARMLIB members for configuration

values

• Start the tasks in the following sequence: IZUANG1 followed by

IZUSVR1.

• Otherwise, z/OSMF users might encounter authorization errors

later when they attempt to log in to z/OSMF.




• Update PARMLIB members or automation for

subsequent IPLs• Copy the mount commands from the sample mount job to your

BPXPRMxx parmlib member

• Add the START commands for the started procedures to your

COMMNDxx parmlib member; or update system automation

procedures.

• Add the started procedure names to the AUTOLOG statement in

your TCP/IP profile.



Agenda

• Background
















Existing User Configuration Migration

• Configuring an instance of z/OSMF is done by:1. Run izumigrate.sh to build a customized IZUPRMxx

based on your existing configuration

2. Setting up security– Minimal changes from z/OSMF V2.1

3. Migrate the z/OSMF z/OS UNIX filesystem

4. Ensure that the SMP/E installed procedures are in your JES PROCLIB concatenation

– Same as for new user

5. Modify the Start parameters for the z/OSMF server– Same as for new user

6. Update PARMLIB members or automation for subsequent IPLs

– Same as for new user



Existing User Configuration Migration …

• Run the izumigrate.sh script on the new system using the

configuration file from your current (old) system as input.

• The script creates an IZUPRMxx PARMLIB member with values

that match the configuration values from your old system.

• When possible, the script retains your current settings.

• For any values that are no longer valid for z/OSMF, the script omits the

values when it creates the IZUPRMxx parmlib member.

• For values that already match the z/OSMF defaults, the script omits

the values from the IZUPRMxx parmlib member.

• If your existing configuration file contains commented sections (it

should not), the script removes this information from the IZUPRMxx

parmlib member.

• If an IZUPRMxx member already exists at the specified location,

the script prompts you for a response to overwrite the existing

member.

• To avoid this prompt, you can include the option -noprompt on the

script invocation.




Example of running izumigrate.sh script

• The izumigrate.sh script is used to create PARMLIB member IZUPRM01, based on your current configuration settings.

• Parameters are:• -configDir – directory of the existing (old) configuration file• -configFilePath – file name and location of the existing

configuration file• -izuprmSuffix – two (2) character suffix to be used for the

generated PARMLIB member• -parmlibDsn – data set name to be updated by the script. It does

not have to be an active data set in the PARMLIB concatenation

• The script runs extremely fast

izumigrate.sh -configDir /etc/zosmf -configFilePath /etc/zosmf/izuconfig1.cfg

-izuprmSuffix 01 -parmlibDsn SYS1.PARMLIB




• Setting up Security• You could run SAMPLIB(IZUSEC)

• However, depending on the release and PTF level that you are

coming from, most definitions could already exist.

• One advantage of the SAMPLIB member(s) is that from release

to release (or even after New Function PTFs) you can use ISPF

to compare and identify what has changed!!!

• Unfortunately, that doesn’t help going to z/OSMF V2.2

• If your installation uses a security management product other than

RACF, do not use the SAMPLIB member

• Instead, your installation must create equivalent commands for

your security product.

• See Appendix A in the z/OSMF Configuration Guide for a list of

resources, groups, IDs, and authorizations that need to be

defined to your security product.




• Migrating the z/OSMF z/OS UNIX Filesystem• Run a modified SAMPLIB(IZUMKFS)

• You must select a volume for this allocation.

• By default the filesystem data set name is IZU.SIZUUSRD

• If you want to change the data set name, it needs to be changed

in three (3) steps: DEFINE, CREATE, and MOUNT

• By default the mountpoint is /var/zosmf

• It is recommended that you give the z/OSMF file system sysplex-

wide scope.

• To do so, update the job to ensure that it mounts the user

directory at a shared mount point.

• For example, /sharedapps/zosmf

• If you change the default mountpoint, you will have to change

all references of /var/zomsf in the job.

• You will need to uncomment out the MIGRATE step (next slide)




• Migrating the z/OSMF z/OS UNIX Filesystem …• Locate the job step MIGRATE, which is commented out.

• This step contains JCL that you can use to copy the data file system from your old system to the user file system on the new system.

• Uncomment the step (JCL and input) and update it so that it references the data file system to be copied.

• In previous releases, you specified this directory on the <IZU_DATA_DIR> configuration variable, which, by default, was /var/zosmf/data.

• Ensure that the old filesystem is remounted at a different mount point; you cannot use /var/zosmf/data because that mount point will be used for the new file system.

• Specify the mount point of old file system in place of the value /OldDataFileSystemMountPoint.

//MIGRATE EXEC PGM=IKJEFT01,

// COND=((4,LT,DEFINE),(4,LT,CREATE),(4,LT,MOUNT))

//SYSTSPRT DD SYSOUT=*

//SYSTSIN DD *

BPXBATCH PGM /bin/cp -Rpv /var/oldzosmf21/data +

/sharedapps/zosmf/data

BPXBATCH PGM /bin/chown -hR IZUSVR:IZUADMIN /sharedapps/zosmf/

BPXBATCH PGM /bin/chmod -hR 755 /sharedapps/zosmf/

Replaced

/OldDataFileSystemMountPoint

with /var/oldzosmf21/data to reflect

location of old file system



Existing user migrating to z/OSMF V2.2

• Migrating to a new release of z/OSMF involves the

following steps:1. Perform actions you can perform before installing z/OSMF V2.2

• These are migration actions that you perform on your current

(old) system before you install or configure z/OSMF V2.2.

2. Perform actions you perform before configuring z/OSMF V2.2

• These are migration actions that you perform after you have

SMP/E installed z/OS V2.2, but before you have configured or

activated the product.

3. Perform actions you perform after activating z/OSMF V2.2

• These are migration actions that you can perform only after you

have started the z/OSMF server.

4. When you are certain that you will not need to fallback to your

current (old) release, you can perform the post-migration

actions to:

– Clean-up actions to perform when satisfied with the new release

– Exploit new capabilities



z/OSMF V1.13 to z/OSMF V2.2 Migration

Step Description

M1: Actions you can perform before installing z/OSMF V2.2

a. Convert to SAF Authorization Mode

M2: Actions you perform before configuring z/OSMF V2.2

a. Remove the most-generic profile for z/OSMF authorizations*

b. Authorize the z/OSMF server to create PassTickets

c. Setting up the z/OSMF started procedures

M3: Actions you perform after activating z/OSMF V2.2

a. Notify users of the correct URL to use for z/OSMF V2.2 (if you change port numbers)

b. Recreate all table filters in the z/OSMF user interface*

* Also applicable to z/OSMF 2.1 to z/OSMF 2.2 migrations



M4: Clean-up actions to perform when satisfied with the new release

• C1 - Cleanup old SAF profile prefix definitions

• C2 - Cleanup old port definitions

• C3 - Cleanup ZOSMFAD owned objects and authorizations from previous releases

• C4 - Cleanup WebSphere constructs from previous releases

• C5 - Cleanup APF Authorization for SYS1.MIGLIB

• C6: Cleanup SURROGAT Class profiles

• C7: Cleanup old configuration files• All files under /etc/zosmf (default directory)

z/OSMF V1.13 to z/OSMF V2.2 Migration



Agenda

• Background
















Accessing the z/OSMF Welcome page

• At the end of the z/OSMF configuration process, you can verify the results of your work by opening a web browser to the Welcome page.

• The URL for the Welcome page has the following format:• https://hostname:port/zosmf/where:

• hostname is the hostname or IP address of the system in which z/OSMF is installed

• port is the secure application port for the z/OSMF configuration. port is optional. If you specified a secure port for SSL encrypted traffic during the configuration process (through variable IZU_HTTP_SSL_PORT), that value is required to log in. Otherwise, it is assumed that you are using port 443, the default.

• To find the URL, see message IZUG349I, which was written to the job log file when IZUSVR1 was started.

IZUG210I: The z/OSMF Configuration Utility has completed successfully at Tue Jul

IZUG349I: The z/OSMF Server home page can be accessed at

: https://ALPS4142.POK.IBM.COM/zosmf

: after the z/OSMF server is started on your system.

Launching zosmfServer (WebSphere Application Server/wlp-1.0.9.cl50620150610-1749



z/OSMF Log in Pop-up Window

Secure authentication to z/OS host using regular

z/OS User ID and password.



z/OSMF About Pop-up Window

Pop-up window that identifies which plug-ins have

been configured and the last time the plug-in (or core

function) was updated (e.g., by service).



Agenda

• Background
















• Using the z/OSMF Workflow enables you to follow a step by step

procedure to configure the z/OS functions needed for one or more

z/OSMF plug-ins.

• Specifically, it allows you to:

• Assign individual steps to different z/OSMF users

• Notify z/OSMF users when steps are assigned to them

• Allowing them to accept the task (agree to perform it)

• Track the progress of your configuration

• Notify z/OSMF users when steps a step assigned to them is ready to

run

• Assist you in performing some tasks, or walking you though the

latest documentation for others

• The workflow is planned to be enhanced 4Q2015 to support the new

z/OSMF V2.2 configuration changes*

Use of z/OSMF Workflow for Configuration




Agenda

• Background
















Previous Procedure to Add z/OSMF Plug-ins

Action to perform Script invocation Performed by

Configure z/OSMF with

–add

izusetup.sh -file <pathname/filename>.cfg

–config -add

z/OSMF installer

(Superuser)

Run the security

commands for the added

z/OSMF Plug-ins

<IZU_CONFIG_DIR>/izuconfig1.cfg.add.IL

.CA.WLM.RMF.CP.WISPF.DM.rexx

Security

Administrator

Verify the RACF security

setup


-verify racf

Security

Administrator

Complete the setup with

–add


–finish –add

z/OSMF installer

(Superuser)

Restart the z/OSMF server P IZUSVR1

P IZUANG1

S IZUANG1

S IZUSVR1

System Operator



Adding Optional z/OSMF Plug-ins

• Your decision on which plug-ins to configure will depend on your

installation's desire to use the function, and your readiness to

perform the various z/OS system requisite customization

associated with each plug-in.

• When planning for z/OSMF, review the system pre-requisites for

each plug-in

• To add a plug-in, you must:

1. Define z/OS prerequisites for the Plug-in

– Updated Workflow planned for 4Q2015*

2. Define security definitions for the Plug-in

– Use SAMPLIB(IZUxxSEC) or Configuration Guide

3. Create/update an IZUPRMxx PARMLIB member adding the

Plug-in to the list of plug-ins to be used.

– See slide 26




Agenda

• Background
















Adding External Plug-ins (e.g., SDSF)

• Besides the optional plug-ins that are supplied with z/OSMF, your

installation can choose to add plug-ins from other sources (IBM or

other vendors) to your configuration.

• For example, the z/OS System Display and Search Facility (SDSF)

product supplies a plug-in for use with z/OSMF.

• For the installation and customization requirements for a particular

plug-in, see the documentation that is provided with the plug-in.

• To add the SDSF task to z/OSMF, you import a properties file

through the Import Manager task of z/OSMF, which is in the z/OSMF

Administration category.

• The properties file for SDSF is /usr/lpp/sdsf/zosmf/sdsf.properties

• The function provided by the SDSF task in z/OSMF is protected just

as z/OS SDSF is protected, with the same SAF resources and

ISFPARMS parameters.



Import Manager

New navigation

task for z/OSMF

Administrators



z/OSMF Import Manager ….

This is where you specify the properties

file for SDSF:

/usr/lpp/sdsf/zosmf/sdsf.properties



Import Manager …

After you import the SDSF properties file, and define the

security definitions, authorized users will see the “Jobs and

Resources” category and the SDSF Plug-in



Agenda

• Background
















Sysplex A

System 2 - backup

System 1

z/OSMF

(Local /

Primary)

HTTPS

HTTPS

Sysplex B

System 4 - backup

System 3

z/OSMF

(Remote /

Secondary)

HTTPS

Sysplex C

System 6 - backup

System 5

Browser

Poughkeepsie, NY

Las Vegas, Nev. Orlando, Fla.

z/OSMF Data

Directory

z/OSMF

(Remote /

Secondary)

Managing Multiple Sysplexes

z/OSMF Data

Directory

z/OSMF Data

Directory

All Software Management

data resides here

The Systems Task and Incident Log use data that

resides in the z/OSMF data directory in each sysplex



Planning for Secure Communication Between

z/OSMF Instances

• The primary instance communicates with other z/OSMF instances

through Secure Sockets Layer (SSL) connections.

• Each SSL connection requires an exchange of digital certificates, which are

used to authenticate the z/OSMF server identities.

• For the SSL connection to be successful, the primary instance must be

configured to trust the server certificates from the secondary instances.

• For signing the server certificates, each instance uses a certificate

authority (CA) certificate.

• Establishing a trust relationship between instances will require knowing

which CA certificate is used to sign each secondary instance server

certificate.

• If you have not yet created any secondary instances of z/OSMF, you

might find it easier to create one CA certificate and use it to sign all of

the server certificates in the primary and secondary instances.

• If your installation uses separate security databases, you must

ensure that the appropriate certificates are shared by the

participating z/OSMF instances.



Single Sign On

• Single sign-on (SSO) enables users to log into one z/OSMF instance and to

access other z/OSMF instances without getting prompted to log in again.

• z/OSMF uses the Lightweight Third Party Authentication (LTPA) security

protocol to enable a secure single sign-on environment among z/OSMF

instances.

• The LTPA protocol uses an LTPA token to authenticate a user with the

z/OSMF servers that are enabled for single sign-on.

• The LTPA token contains information about the user and is encrypted using

a cryptographic key.

• The z/OSMF servers pass the LTPA token to other z/OSMF servers through

cookies for web resources.

• If the receiving server uses the same key as the primary z/OSMF server --

the server that generated the key to be used for SSO, the receiving server

• decrypts the token to obtain the user information,

• verifies that the token has not expired, and

• confirms that the user ID exists in its user registry.

• After the receiving server validates the LTPA token, the server authenticates

the user with that z/OSMF instance, and allows the user to access any

resource to which the user is authorized.



Single Sign On …

• To establish a single sign-on environment for z/OSMF, the following requirements must be satisfied:• The z/OSMF servers participating in the single sign-on environment must

reside in the same LTPA domain as the primary z/OSMF server. • The LTPA domain name is the parent portion of the fully qualified hostname

of the z/OSMF servers. • For example, if the fully-qualified hostname is server.yourco.com, the

LTPA domain is yourco.com.• The servers must share the same LTPA key.

• For z/OSMF, this is accomplished by invoking the Enable Single Sign-on action to synchronize the LTPA key on the primary and secondary z/OSMF servers. • For instructions, see the z/OSMF online help.

• The user ID of the user must exist and be the same in all System Authorization Facility (SAF) user registries. • It is recommended that you use the same user registry settings for all

z/OSMF servers so that users and groups are the same, regardless of the server.

• The value specified for the SAF prefix during the z/OSMF configuration process must be the same for each z/OSMF server you want to enable for single sign-on. • By default, the z/OSMF SAF prefix is IZUDFLT.



Agenda

• Background
















Prior Procedure for Authorizing Users to z/OSMF

• Setting up Security1. The z/OSMF Administrator ran the izuauthuser.sh Shellscript

• izuauthuser.sh -file izuconfig1.cfg -userid userid -role role

2. The z/OSMF Administrator notified the Security Administrator of

the location of the generated REXX EXECs

3. The Security Administrator reviewed the REXX EXEC to verify that

the commands conformed to the installation standards

4. The Security Administrator ran the REXX EXEC (or the individual

security commands) connecting users to z/OSMF security groups

• Depending on what plug-ins were configured users may have

needed to be connected to additional groups

• Capacity Provisioning groups (CPOCTRL and

CPOQUERY)

• Workload Management group (WLMGRP)

• The CIM administration group (CFZADMGP)



Authorizing existing z/OS users to z/OSMF

• Setting up Security• You could run a modified SAMPLIB(IZUAUTH)

• You have to edit the job to:

• Select the z/OSMF role

• Change “USERID” to the desired user ID

• Determine if the user needs access to the Capacity

Provisioning groups (CPOCTRL and CPOQUERY), Workload

Management group (WLMGRP), and the CIM administration

group (CFZADMGP)

• If your installation uses a security management product other than

RACF, do not use the SAMPLIB member

• Instead, your installation must create equivalent commands for

your security product.

• See Appendix A in the z/OSMF Configuration Guide for a list of

resources, groups, IDs, and authorizations that need to be

defined to your security product.



Summary



Summary (1 of 3)

• Configuration Changes Enabled by PTF UI90027 (available August 5, 2015)• Eliminate the use of z/OS UNIX shellscripts to configure z/OSMF• Use PARMLIB to specify configuration parameters• Provide sample members for: PARMLIB, security definitions,

and creation/migration of z/OS UNIX filesystem • Utilize z/OSMF Workflows to provide a graphical interface step

the user through plug-in prerequisite configuration• The workflow is planned to be enhanced 4Q2015 to support the new

z/OSMF V2.2 configuration changes*

• Documented in the IBM z/OS Management Facility

Configuration Guide V2.2 (SC27-8419)• Additional documentation in DOC APAR PI46099

• The PTF will be installed in all z/OS V2.2 ServerPacs!!!




Summary (2 of 3)

• New user setup to configure z/OSMF “base” 1. Setting up security

2. Creating the z/OSMF z/OS UNIX filesystem

3. Optionally, configuring z/OSMF parameters

4. Ensure that the SMP/E installed procedures are in your JES PROCLIB

concatenation

5. Starting the z/OSMF server


• Existing user migrating to z/OSMF V2.21. Run izumigrate.sh to build a customized IZUPRMxx based on your

existing configuration

2. Setting up security

3. Migrate the z/OSMF z/OS UNIX filesystem

4. Ensure that the SMP/E installed procedures are in your JES PROCLIB

concatenation

5. Modify the Start parameters for the z/OSMF server




Summary (3 of 3)

• Unsolicited feedback from an ESP customer:• “PTF UI90027 (the "new" z/OSMF configuration fix) is applied, I

actually waited for this before I started to implement z/OSMF… I

really like this new way of configuring z/OSMF!”



Thank You



Additional Information

• z/OS Management Facility website• http://www-03.ibm.com/systems/z/os/zos/features/zosmf/index.html

• IBM z/OS Management Facility Browser Compatibility• http://www-

03.ibm.com/systems/z/os/zos/features/zosmf/browser_notes.html

• z/OS Management Facility Publications

• http://www-03.ibm.com/systems/z/os/zos/features/zosmf/moreinfo/

• IBM z/OS Management Facility Configuration Guide (SC27-8419)

• IBM z/OS Management Facility Programming (SC27-8420)

• z/OS Management Facility Resource Requirements• http://www-

03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101779

• z/OS Management Facility Downloads• http://www-03.ibm.com/systems/z/os/zos/features/zosmf/downloads/

http://www-03.ibm.com/systems/z/os/zos/features/zosmf/index.html

http://www-03.ibm.com/systems/z/os/zos/features/zosmf/browser_notes.html

http://www-03.ibm.com/systems/z/os/zos/features/zosmf/moreinfo/

http://www-03.ibm.com/support/techdocs/atsmastr.nsf/WebIndex/WP101779

http://www-03.ibm.com/systems/z/os/zos/features/zosmf/downloads/



Continue growing your IBM skills

ibm.com/trainingprovides a comprehensive

portfolio of skills and career

accelerators that are designed

to meet all your training needs.

If you can’t find the training that is right for

you with our Global Training Providers, we can

help.

Contact IBM Training at [email protected] Skills Initiative

mailto:[email protected]

z/osmf v2.2 implementation and configuration - … · z/osmf v2.2 implementation and configuration...

Documents